Closed jvanz closed 2 years ago
As far as I can see we can replace the NeuVector rule with our policy user-group-psp-policy. It also checks the user in containers. By the way, our policy checks more things. As we can see in the neuvector/controller/rest/admwebhook.go file, NeuVector gets the user from the container or pod spec (container has precedence). But it does not check init containers. Our policy does.
Ah! One thing that our policy does not do is to check the PodSpec security context. Our policy only checks the containers' security context. Therefore, I think we should change the user-group-psp-policy to check the PodSpec security context as well. @kubewarden/kubewarden-developers
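The precedence rule discussed in this thread (container-level runAsUser overrides the pod-level one, init containers must be walked too, and an unset UID at both levels is its own failure mode) is shown below as an added Go example. It is not code from NeuVector's admwebhook.go or from the user-group-psp-policy; the `SecurityContext`, `Container` and `PodSpec` types are minimal stand-ins for the corev1 fields so the example runs without the Kubernetes module, and the allowed UID range and sample pod are constructed for illustration.

```go
package main

import "fmt"

// Minimal stand-ins for the k8s.io/api/core/v1 fields this check reads
// (constructed for the example so it runs without the Kubernetes module).
type SecurityContext struct {
	RunAsUser *int64
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	SecurityContext *SecurityContext // pod-level defaults
	InitContainers  []Container
	Containers      []Container
}

// UIDRange is an inclusive range of UIDs the (hypothetical) policy allows.
type UIDRange struct{ Min, Max int64 }

// Resolution records the effective runAsUser of one container and where it
// came from: "container", "pod", or "unset" when neither level specifies it.
type Resolution struct {
	Container string
	Init      bool
	UID       *int64
	Source    string
}

// effectiveUser applies the Kubernetes precedence rule: a container-level
// runAsUser overrides the pod-level one. If neither is set the UID is
// unresolved at admission time (the image's USER, often root, applies).
func effectiveUser(pod *SecurityContext, c Container) (*int64, string) {
	if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
		return c.SecurityContext.RunAsUser, "container"
	}
	if pod != nil && pod.RunAsUser != nil {
		return pod.RunAsUser, "pod"
	}
	return nil, "unset"
}

// ResolveRunAsUser walks init containers first, then regular containers,
// so a root init container cannot slip past a check that only iterates
// spec.containers.
func ResolveRunAsUser(spec PodSpec) []Resolution {
	var out []Resolution
	add := func(cs []Container, init bool) {
		for _, c := range cs {
			uid, src := effectiveUser(spec.SecurityContext, c)
			out = append(out, Resolution{Container: c.Name, Init: init, UID: uid, Source: src})
		}
	}
	add(spec.InitContainers, true)
	add(spec.Containers, false)
	return out
}

func inRanges(uid int64, ranges []UIDRange) bool {
	for _, r := range ranges {
		if uid >= r.Min && uid <= r.Max {
			return true
		}
	}
	return false
}

// CheckRunAsUser returns one message per violating container. An unresolved
// UID is reported as a violation too: the policy cannot prove it lies in the
// allowed ranges, so the safe answer is to reject rather than assume.
func CheckRunAsUser(spec PodSpec, allowed []UIDRange) []string {
	var violations []string
	for _, r := range ResolveRunAsUser(spec) {
		kind := "container"
		if r.Init {
			kind = "init container"
		}
		switch {
		case r.UID == nil:
			violations = append(violations, fmt.Sprintf("%s %q: runAsUser is not set at container or pod level", kind, r.Container))
		case !inRanges(*r.UID, allowed):
			violations = append(violations, fmt.Sprintf("%s %q: runAsUser %d (%s-level) is outside the allowed ranges", kind, r.Container, *r.UID, r.Source))
		}
	}
	return violations
}

func main() {
	uid := func(v int64) *int64 { return &v }
	// Constructed sample: pod-level default 1000, an init container that
	// inherits it, an app container that overrides it with root, and a
	// sidecar that inherits the pod default. Only "app" should be denied.
	spec := PodSpec{
		SecurityContext: &SecurityContext{RunAsUser: uid(1000)},
		InitContainers:  []Container{{Name: "setup"}},
		Containers: []Container{
			{Name: "app", SecurityContext: &SecurityContext{RunAsUser: uid(0)}},
			{Name: "sidecar"},
		},
	}
	for _, v := range CheckRunAsUser(spec, []UIDRange{{Min: 1000, Max: 2000}}) {
		fmt.Println("DENY:", v)
	}
}
```

A check that reads only `spec.containers[*].securityContext` would pass the sample pod's "sidecar" only by accident (it has no container-level value) and would never see an init container at all; resolving both levels and both container lists is what makes the two approaches comparable.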
Let's close this issue and track that via https://github.com/kubewarden/user-group-psp-policy/issues/36
Compare the admission controller from NeuVector, checking how its policy to control the container user works. The goal is to figure out whether the Kubewarden policy is equivalent to it.